Knowledge Tree
Open Source Software policy
Also known as: OSS policy, open source software policies
Facts (13)
Sources
Open source software best practices and supply chain risk ... - GOV.UK gov.uk Mar 3, 2025 13 facts
procedureAn effective open source software policy should include a list of acceptable licenses for both internal and external projects.
claimOpen source software policies should guide processes based on risk levels, where simple dependencies may forego formal approval while critical components require thorough evaluation.
claimTooling serves as a mechanism to reduce the time and resource burden for organizations implementing open source software (OSS) best practices, such as maintaining an OSS policy, an SBOM, and continuous monitoring.
procedureAn effective open source software policy should specify whether open source software can be used in proprietary software or external projects.
referenceAccording to Hammond (2009), an Open Source Software (OSS) policy should be concise, developer-consumable, involve general counsel early and often, classify OSS license types, take control of the process, measure internalization, and be revisited and revised on a regular basis.
claimSoftware composition analysis (SCA) can be used to conduct regular vulnerability assessments, be implemented as part of the continuous integration/continuous deployment (CI/CD) pipeline, and be used to enforce an open-source software policy (Alvarenga, 2023a).
referenceHammond (2009) states that an Open Source Software (OSS) policy should include the goals for OSS adoption, the acquisition process, the rules for the business case, and guidelines for the appropriate use of OSS.
claimImplementing an internal open source software policy allows organizations to formalize adoption processes, set license constraints, and standardize the evaluation of component trustworthiness.
procedureThe GOV.UK report recommends that organizations manage open source software by: (1) establishing an internal open source software policy, (2) creating a Software Bill of Materials (SBOM), (3) continuously monitoring the software supply chain, and (4) promoting engagement with the open source software community.
claimSoftware Bill of Materials (SBOM) usage ensures a source of truth for components used in software, which can be used to enforce internal open source software policies.
referenceOsborne et al. (2023) assert that Open Source Software (OSS) policy steps must be applied to the specific organizational context to be effective.
procedureAn effective open source software policy should detail criteria for assessing the trustworthiness and maturity of open source software components.
claimAn Open Source Software (OSS) policy is a formal document that outlines the rules and guidelines for using open-source software within an organization.